Abstract 

We present an algorithm to solve a system of diagonal polynomial equations over finite fields when 
the number of variables is greater than some fixed polynomial of the number of equations whose degree 
depends only on the degree of the polynomial equations. Our algorithm works in time polynomial in the 
number of equations and the logarithm of the size of the field, whenever the degree of the polynomial 
equations is constant. As a consequence we design polynomial time quantum algorithms for two algebraic 
hidden structure problems: for the hidden subgroup problem in certain semidirect product p-groups of 
constant nilpotency class, and for the multi-dimensional univariate hidden polynomial graph problem 
when the degree of the polynomials is constant. 
1 Introduction 


Finding small solutions in some well defined sense for a system of integer linear equations is an important, 
well studied, and computationally hard problem. Subset Sum, which asks the solvability of a single equation 
in the binary domain, is one of Karp's original 21 NP-complete problems […]. 

The guarantees of many lattice based cryptographic systems come from the average case hardness of 
Short Integer Solution, dating back to Ajtai’s breakthrough work [5], where we try to find short nonzero 
vectors in a random integer lattice. Indeed, this problem has a remarkable worst case versus average case 
hardness property: solving it on the average is at least as hard as solving various lattice problems in the 
worst case, such as the decision version of the shortest vector problem, and finding short linearly independent 
vectors. 

Turning back to binary solutions, deciding if there exists a nontrivial zero-one solution of the system of 
linear equations 

$$a_{11}y_1 + \cdots + a_{1n}y_n = 0$$
$$\vdots$$
$$a_{m1}y_1 + \cdots + a_{mn}y_n = 0 \qquad (1)$$

in the finite field $\mathbb{F}_q$, where $q$ is a power of some prime number $p$, is easy when $q = p = 2$. However, by 
modifying the standard reduction of Satisfiability to Subset Sum […] it can be shown that it is an NP-hard 
problem for $q \geq 3$. 
The system (1) is equivalent to the system of equations 

$$a_{11}x_1^{q-1} + \cdots + a_{1n}x_n^{q-1} = 0$$
$$\vdots$$
$$a_{m1}x_1^{q-1} + \cdots + a_{mn}x_n^{q-1} = 0 \qquad (2)$$

where we look for a nontrivial solution in the whole $\mathbb{F}_q^n$. 

In this paper we will consider finding a nonzero solution for a system of diagonal polynomial equations 
similar to (2), but where, more generally, the variables are raised to some power $d \geq 2$. We state this 
problem formally. 

Definition 1. The System of Diagonal Equations problem SDE is parametrized by a finite field and 
three positive integers $n$, $m$ and $d$. 

$\mathrm{SDE}(\mathbb{F}_q, n, m, d)$ 

Input: A system of polynomial equations over $\mathbb{F}_q$: 

$$a_{11}x_1^d + \cdots + a_{1n}x_n^d = 0$$
$$\vdots$$
$$a_{m1}x_1^d + \cdots + a_{mn}x_n^d = 0 \qquad (3)$$

Output: A nonzero solution $(x_1, \ldots, x_n) \neq \mathbf{0}$. 

Here $\mathbf{0}$ stands for the zero vector of length $n$. (We will use this notation where we want to stress the 
distinction between the zero element of a field and the zero vector of a vector space.) 

For $j = 1, \ldots, n$, let us denote by $v_j$ the column vector $(a_{1j}, \ldots, a_{mj})^T \in \mathbb{F}_q^m$. Then the system of 
equations (3) is the same as 

$$\sum_{j=1}^{n} x_j^d v_j = \mathbf{0}. \qquad (4)$$

That is, solving $\mathrm{SDE}(\mathbb{F}_q, n, m, d)$ is equivalent to the task of representing the zero vector as a nontrivial 
linear combination of a subset of $\{v_1, \ldots, v_n\}$ with $d$th power coefficients. We actually present our algorithm 
as solving this vector problem. The special case $d = q-1$ is the vector zero sum problem, where the goal is 
to find a non-empty subset of the given vectors with zero sum. 

Under which conditions can we be sure that for system (3) there exists a nonzero solution? The elegant 
result of Chevalley [6] and Warning […] states that the number of solutions of a general (not necessarily 
diagonal) system of polynomial equations is a multiple of the characteristic $p$ of $\mathbb{F}_q$, whenever the number 
of variables is greater than the sum of the degrees of the polynomials. For diagonal systems (3) this means 
that when $n > dm$, the existence of a nonzero solution is assured. 

In general little is known about the complexity of finding another solution, given a solution of a system 
which satisfies the Chevalley-Warning condition. When $q = 2$, Papadimitriou has shown […] that this 
problem is in the complexity class Polynomial Parity Argument (PPA), the class of NP search problems 
where the existence of the solution is guaranteed by the fact that in every finite graph the number of vertices 
with odd degree is even. This implies that it cannot be NP-hard unless NP = co-NP. It is also unlikely that 
the problem is in P, since Alon has shown […] that this would imply that there are no one-way permutations. 

Let us come back to our special system of equations (3). In the case $m = 1$, a nonzero solution can be 
found in polynomial time for a single equation which satisfies the Chevalley condition, due to the remarkable 
work of van de Woestijne […] where he proves the following. 

Fact 2. In deterministic polynomial time in $d$ and $\log q$ we can find a nontrivial solution for 

$$a_1x_1^d + \cdots + a_{d+1}x_{d+1}^d = 0.$$
In the case of more than one equation we don't know how to find a nonzero solution for system (3) under 
just the Chevalley condition. However, if we relax the problem and take many more variables than are 
required for the existence of a nonzero solution, we are able to give a polynomial time solution. Using van 
de Woestijne's result for the one-dimensional case, a simple recursion based on reducing one big system with 
$m$ equations into $d+1$ subsystems with $m-1$ equations shows that if $n \geq (d+1)^m$ then $\mathrm{SDE}(\mathbb{F}_q, n, m, d)$ 
can be solved in deterministic polynomial time in $n$ and $\log q$. The time complexity of this algorithm is 
therefore polynomial for any fixed $m$. The case when $d$ is fixed and $m$ grows appears to be more difficult. 
To our knowledge, the only existing result in this direction is the case $d = 2$, for which it was shown in the 
paper [15] by the authors and Sanselme that there exists a (randomized) algorithm that, when $n = \ldots$, 
solves $\mathrm{SDE}(\mathbb{F}_q, n, m, d)$ in polynomial time in $n$ and $\log q$. In the main result of this paper we generalize this 
result by showing, for every constant $d$, the existence of a deterministic algorithm that, for every $n$ larger 
than some polynomial function of $m$, solves $\mathrm{SDE}(\mathbb{F}_q, n, m, d)$ in polynomial time in $n$ and $\log q$. 

Theorem 3. Let $d$ be constant. For $n \geq d^{\ldots}(m+1)^{d \log d}$, the problem $\mathrm{SDE}(\mathbb{F}_q, n, m, d)$ can be solved 
in time polynomial in $n$ and $\log q$. 

The large number of variables that makes a polynomial time solution possible, unfortunately also makes 
our algorithm most probably irrelevant for cryptographic applications. Nonetheless, it turns out that the 
algorithm is widely applicable in quantum computing for solving efficiently various algebraic hidden structure 
problems. We now explain this connection. 

Simply speaking, in a hidden structure problem we have to find some hidden object related to some 
explicitly given algebraic structure $A$. We have access to an oracle input, which is an unknown member $f$ 
of a family of black-box functions which map $A$ to some finite set $S$. The task is to identify the hidden 
object solely from the information one can obtain by querying the oracle $f$. This means that the only useful 
information we can obtain is the structure of the level sets $f^{-1}(s) = \{a \in A : f(a) = s\}$, $s \in S$, that is, we 
can only determine whether two elements in $A$ are mapped to the same value or not. In these problems we 
say that the input $f$ hides the hidden structure, the output of the problem. We now define the two problems 
for which we can apply our algorithm for SDE. 

Definition 4. The hidden subgroup problem HSP is parametrized by a finite group $G$ and a family $\mathcal{H}$ of 
subgroups of $G$. 

$\mathrm{HSP}(G, \mathcal{H})$ 

Oracle input: A function $f$ from $G$ to some finite set $S$. 

Promise: For some subgroup $H \in \mathcal{H}$, we have 

$$f(x) = f(y) \iff Hx = Hy.$$

Output: $H$. 

The hidden polynomial graph problem HPGP is parametrized by a finite field $\mathbb{F}_q$ and three positive integers 
$n$, $m$ and $d$. 

$\mathrm{HPGP}(\mathbb{F}_q, n, m, d)$ 

Oracle input: A function $f$ from $\mathbb{F}_q^n \times \mathbb{F}_q^m$ to a finite set $S$. 

Promise: For some $Q : \mathbb{F}_q^n \to \mathbb{F}_q^m$, where $Q(x) = (Q_1(x), \ldots, Q_m(x))$ and $Q_i(x)$ is an $n$-variate 
degree $d$ polynomial over $\mathbb{F}_q$ with zero constant term, we have 

$$f(x, y) = f(x', y') \iff y - Q(x) = y' - Q(x').$$

Output: $Q$. 


While no classical algorithm can solve the HSP with polynomial query complexity even if the group $G$ is 
abelian, one of the most powerful results of quantum computing is that it can be solved by a polynomial time 
quantum algorithm for any abelian $G$. Shor's factorization and discrete logarithm finding algorithms [26] 
and Kitaev's algorithm […] for the abelian stabilizer problem are all special cases of this general solution. 

Extending the quantum solution of the abelian HSP to non-abelian groups is an active research area, 
since these instances include several algorithmically important problems. For example, efficient solutions 
for the dihedral and the symmetric group would imply efficient solutions, respectively, for several lattice 
problems [24] and for graph isomorphism. While the non-abelian HSP has been solved efficiently by quantum 
algorithms in various groups […], finding a general solution seems totally elusive. 

An extension in a seemingly different (not "group theoretical") framework was proposed by Childs, 
Schulman and Vazirani [7] who considered the problem where the hidden object is a polynomial. To recover 
it we have at our disposal an oracle whose level sets coincide with the level sets of the polynomial. Childs et 
al. [7] showed that the quantum query complexity of this problem is polynomial in the logarithm of the field 
size when the degree and the number of variables are constant. The first time-efficient quantum algorithm 
was given by the authors with Decker and Wocjan [10] for the case of multivariate quadratic polynomials 
over fields of constant characteristic. 

The hidden polynomial graph problem HPGP was defined in [5] by Decker, Draisma and Wocjan. Here 
the hidden object is again a polynomial, but the oracle is more powerful than in [7] because it can also 
be queried on the graphs that are defined by the polynomial functions. They obtained a polynomial time 
quantum algorithm that correctly identifies the hidden polynomial when the degree and the number of 
variables are considered to be constant. In […], this result was extended to polynomials of constant degree 
in a framework that reveals a relationship to the hidden subgroup problem. The version of the HPGP we 
define here is more general than the one considered in [5] in the sense that we are dealing not only with 
a single polynomial but with a vector of several polynomials. The restriction on the constant terms of the 
polynomials is due to the fact that the level sets of two polynomials are the same if they differ only in their 
constant terms, and therefore the value of the constant term cannot be recovered. 

It will be convenient for us to consider a slight variant of the hidden polynomial graph problem which we 
denote by HPGP$'$. The only difference between the two problems is that in the case of HPGP$'$ the input 
is not given by an oracle function but by the ability to access random level set states, which are quantum 
states of the form 

$$\ldots \qquad (5)$$

where $u$ is a random element of $\mathbb{F}_q^m$. Given an oracle input $f$ for HPGP, a simple and efficient quantum 
algorithm can create such a random coset state. Therefore an efficient quantum algorithm for HPGP$'$ 
immediately provides an efficient quantum algorithm for HPGP. 

In […] the authors with Decker and Høyer showed that $\mathrm{HPGP}'(\mathbb{F}_q, 1, m, d)$ is solvable in quantum polynomial 
time when $d$ and $m$ are both constant. Part of the quantum algorithm repeatedly solved instances 
of $\mathrm{SDE}(\mathbb{F}_q, n, m, d)$ under such conditions. We present here a modification of this method which works in 
polynomial time even if $m$ is not constant. For simplicity, here we restrict ourselves to prime fields. This 
will still be sufficient for the application to a hidden subgroup problem. 

Theorem 5. Let $d$ be constant and $p$ be a prime. If $\mathrm{SDE}(\mathbb{F}_p, n, m, d)$ is solvable in (randomized) polynomial 
time for some $n$, then $\mathrm{HPGP}'(\mathbb{F}_p, 1, m, d)$ is solvable in quantum polynomial time. 

Using Theorem 3 it is possible to dispense, in the result of the authors with Decker and Høyer, with 
the assumption that $m$ is constant. 

Corollary 6. If $d$ is constant then $\mathrm{HPGP}'(\mathbb{F}_p, 1, m, d)$ is solvable in quantum polynomial time. 

Bacon, Childs and van Dam in [5] have considered the HSP in $p$-groups of the form $G = \mathbb{F}_p \ltimes \mathbb{F}_p^m$ when 
the hidden subgroup belongs to the family $\mathcal{H}$ of subgroups of order $p$ which are not subgroups of the normal 
subgroup $0 \times \mathbb{F}_p^m$. They have found an efficient quantum algorithm for such groups as long as $m$ is constant. 
In […], based on arguments from [5], the authors with Decker and Høyer sketched how $\mathrm{HSP}(G, \mathcal{H})$ can 
be translated into a hidden polynomial graph problem. For the sake of completeness we state here and prove 
the exact statement about such a reduction. 
Proposition 7. Let $d$ be the nilpotency class of a group $G$ of the form $\mathbb{F}_p \ltimes \mathbb{F}_p^m$. There is a polynomial time 
quantum algorithm which reduces $\mathrm{HSP}(G, \mathcal{H})$ to $\mathrm{HPGP}'(\mathbb{F}_p, 1, m, d)$. 

Putting together Corollary 6 and Proposition 7 it is also possible to get rid of the assumption that $m$ is 
constant in the result of [5]. 

Corollary 8. If the nilpotency class of the group $G$ of the form $\mathbb{F}_p \ltimes \mathbb{F}_p^m$ is constant then $\mathrm{HSP}(G, \mathcal{H})$ can 
be solved in quantum polynomial time. 

We illuminate the main ideas of the proof of Theorem 3 by showing special cases of weaker (randomized) 
versions for $d = 2, 3$ in Section 2. Actually, randomization in these algorithms is only required to obtain 
quadratic and cubic nonresidues in $\mathbb{F}_q$. We remark that assuming the Extended Riemann Hypothesis, such 
nonresidues can be found even deterministically in time polynomial in $\log q$, see [3]. The proof of Theorem 3 
will be given in Section 3. There we also show how the necessity of having nonresidues can be got around. 
Finally, the proof of Proposition 7 will be given in Section 4, and the proof of Theorem 5 in Section 5. 

2 Warm-up: the quadratic and cubic cases 

2.1 The quadratic case 

Proposition 9. The problem $\mathrm{SDE}(\mathbb{F}_q, (m+1)^2, m, 2)$ can be solved by a randomized algorithm in time 
polynomial in $\log q$ and $m$. 

Proof. We assume that $p > 2$ and that we have a non-square $\zeta$ in $\mathbb{F}_q$ at hand. Such an element can be 
efficiently found by a random choice. Actually, this is the only point of our algorithm where randomization 
is used. Assuming ERH, even a deterministic polynomial time method exists for finding a non-square. Also, 
as we will see in Section 3, one can even get around the necessity of nonresidues. As we present this proof 
and that for the cubic case only to show the main lines of our general algorithm, we do not address this issue 
here. 

Our input is a set $V$ of $(m+1)^2$ vectors in $\mathbb{F}_q^m$, and we want to represent the zero vector as a nontrivial 
linear combination of some vectors from $V$ where all the coefficients are squares. The construction is based 
on the following. Pick any $m+1$ vectors $v_1, \ldots, v_{m+1}$ from $V$. Since they are linearly dependent, it is easy 
to represent the zero vector as a proper linear combination $\sum_{i=1}^{m+1} \alpha_i v_i = \mathbf{0}$. Let $J_1 = \{i : \alpha_i^{(q-1)/2} = 1\}$ and 
$J_2 = \{i : \alpha_i^{(q-1)/2} = -1\}$. Using $\zeta$, we can find in deterministic polynomial time in $\log q$, by the Shanks–Tonelli 
algorithm [25], field elements $\beta_i$ such that $\alpha_i = \beta_i^2$ for $i \in J_1$ and $\alpha_i = \beta_i^2\zeta$ for $i \in J_2$. Let $w_1 = \sum_{i \in J_1} \beta_i^2 v_i$ 
and $w_2 = \sum_{i \in J_2} \beta_i^2 v_i$. Then $w_1 = -\zeta w_2$. Notice that we are done if either of the sets $J_1$ or $J_2$ is empty. 

What we have done so far can be considered as a high-level version of the approach of our earlier work [15] 
with Sanselme. The method of [15] then proceeds with recursion to $m-1$. Unfortunately, that approach 
is appropriate only in the quadratic case. Here we use a completely different idea which will turn out to be 
extensible to more general degrees. 

From the vectors in $V$ we form $m+1$ pairwise disjoint sets of vectors of size $m+1$. By the construction 
above, we compute $w_1(1), w_2(1), \ldots, w_1(m+1), w_2(m+1)$, where 

$$w_1(i) = -\zeta w_2(i), \qquad (6)$$

for $i = 1, \ldots, m+1$. Moreover, these $2m$ vectors are represented as linear combinations with nonzero square 
coefficients of $2m$ pairwise disjoint nonempty subsets of the original vectors. 

Now $w_1(1), \ldots, w_1(m+1)$ are linearly dependent and again we can find disjoint subsets $J_1$ and $J_2$ and 
scalars $\gamma_i$ for $i \in J_1 \cup J_2$ such that for $w_{11} = \sum_{i \in J_1} \gamma_i^2 w_1(i)$ and $w_{12} = \sum_{i \in J_2} \gamma_i^2 w_1(i)$ we have $w_{11} = -\zeta w_{12}$. 

But then for $w_{21} = \sum_{i \in J_1} \gamma_i^2 w_2(i)$ and $w_{22} = \sum_{i \in J_2} \gamma_i^2 w_2(i)$, using equation (6) for all $i$, we similarly have 
$w_{21} = -\zeta w_{22}$. On the other hand, if we sum up equation (6) for $i \in J_1$, we get $w_{11} = -\zeta w_{21}$. Therefore 

$$w_{11} = \zeta^2 w_{22} \qquad\text{and}\qquad w_{12} = w_{21} = -\zeta w_{22}.$$
By Fact 2 we can find field elements $\delta_{11}, \delta_{22}, \delta_{12}$, not all zero, such that $\zeta^2\delta_{11}^2 - 2\zeta\delta_{12}^2 + \delta_{22}^2 = 0$, and therefore 
$(\zeta^2\delta_{11}^2 - 2\zeta\delta_{12}^2 + \delta_{22}^2)w_{22} = \mathbf{0}$. But 

$$(\zeta^2\delta_{11}^2 - 2\zeta\delta_{12}^2 + \delta_{22}^2)w_{22} = \delta_{11}^2 w_{11} + \delta_{12}^2(w_{12} + w_{21}) + \delta_{22}^2 w_{22}.$$

Then expanding $\delta_{11}^2 w_{11} + \delta_{12}^2(w_{12} + w_{21}) + \delta_{22}^2 w_{22} = \mathbf{0}$ gives a representation of the zero vector as a linear 
combination with square coefficients (squares of appropriate products of $\beta$s, $\gamma$s and $\delta$s) of a subset of the 
original vectors. □ 
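The two-stage construction of this proof, as an added worked example in Python that is not part of the paper: it runs over a prime field $\mathbb{F}_p$ with $p$ odd, uses a brute-force square root in place of the Shanks–Tonelli algorithm and a linear scan for the non-square $\zeta$ in place of the random choice (both adequate for the small $p$ of a demonstration). The function names and the handling of the early exits (one of $J_1$, $J_2$ empty, or one of the second-stage classes empty) are the example's own; the field elements $\delta_{11}, \delta_{12}, \delta_{22}$ are found by exhaustive search rather than by Fact 2.

```python
# Added example (not the paper's code): the algorithm of Proposition 9 over a prime field F_p,
# p odd.  Brute-force square roots replace Shanks-Tonelli and a linear scan for the non-square
# zeta replaces the paper's random choice; both are fine for small p.

def nullspace_vector(vecs, p):
    """Nontrivial (a_1..a_k) with sum a_i*vecs[i] = 0 mod p (Gaussian elimination); needs k > m."""
    k, m = len(vecs), len(vecs[0])
    A = [[vecs[j][i] % p for j in range(k)] for i in range(m)]  # rows = coordinates
    pivots, row = [], 0
    for col in range(k):
        if row == m:
            break
        piv = next((r for r in range(row, m) if A[r][col]), None)
        if piv is None:
            continue
        A[row], A[piv] = A[piv], A[row]
        inv = pow(A[row][col], -1, p)
        A[row] = [x * inv % p for x in A[row]]
        for r in range(m):
            if r != row and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % p for x, y in zip(A[r], A[row])]
        pivots.append((row, col))
        row += 1
    pivot_cols = {c for _, c in pivots}
    free = next(c for c in range(k) if c not in pivot_cols)  # exists since k > rank
    a = [0] * k
    a[free] = 1
    for r, c in pivots:
        a[c] = -A[r][free] % p
    return a

def is_square(x, p):
    return pow(x % p, (p - 1) // 2, p) == 1

def sqrt_mod(x, p):
    return next(r for r in range(1, p) if r * r % p == x % p)

def split(coeffs, zeta, p):
    """Index i -> (class, beta): a_i = beta^2 (class 1) or a_i = zeta*beta^2 (class 2)."""
    return {i: (1, sqrt_mod(a, p)) if is_square(a, p) else (2, sqrt_mod(a * pow(zeta, -1, p), p))
            for i, a in enumerate(coeffs) if a % p}

def combo(coef, vecs, p):
    """sum coef[i]*vecs[i] over F_p."""
    return [sum(c * vecs[i][t] for i, c in coef.items()) % p for t in range(len(vecs[0]))]

def solve_quadratic_sde(vecs, p):
    """vecs: (m+1)^2 vectors in F_p^m.  Returns square coefficients, not all zero, summing to 0."""
    m, n = len(vecs[0]), len(vecs)
    assert p > 2 and n == (m + 1) ** 2
    zeta = next(z for z in range(2, p) if not is_square(z, p))
    coeffs = [0] * n
    groups = []  # group g: {1: {i: beta_i}, 2: {i: beta_i}} with w1(g) = -zeta*w2(g)
    for g in range(m + 1):
        idx = range(g * (m + 1), (g + 1) * (m + 1))
        J = {1: {}, 2: {}}
        for j, (c, beta) in split(nullspace_vector([vecs[i] for i in idx], p), zeta, p).items():
            J[c][idx[j]] = beta
        if not J[1] or not J[2]:  # one class empty: the other already sums to zero
            for i, beta in (J[1] or J[2]).items():
                coeffs[i] = beta * beta % p
            return coeffs
        groups.append(J)
    # Stage 2: a dependency among w1(1..m+1), classified again into J1' and J2'.
    w1 = [combo({i: b * b for i, b in J[1].items()}, vecs, p) for J in groups]
    Jp = {1: {}, 2: {}}
    for g, (c, gamma) in split(nullspace_vector(w1, p), zeta, p).items():
        Jp[c][g] = gamma
    if not Jp[1] or not Jp[2]:  # then w11 = 0 or w12 = 0 directly
        for g, gamma in (Jp[1] or Jp[2]).items():
            for i, beta in groups[g][1].items():
                coeffs[i] = (gamma * beta) ** 2 % p
        return coeffs
    # Now w11 = zeta^2 w22 and w12 = w21 = -zeta w22.  Find deltas, not all zero, with
    # zeta^2 d11^2 - 2 zeta d12^2 + d22^2 = 0 (Chevalley-Warning guarantees one; brute force here).
    for d11, d12 in ((a, b) for a in range(p) for b in range(p) if (a, b) != (0, 0)):
        c = -(zeta * zeta * d11 * d11 - 2 * zeta * d12 * d12) % p
        if c == 0 or is_square(c, p):
            d22 = 0 if c == 0 else sqrt_mod(c, p)
            break
    # d11^2 w11 + d12^2 (w12 + w21) + d22^2 w22 = 0: push the squared scalars onto the inputs.
    for g, gamma in Jp[1].items():
        for i, beta in groups[g][1].items():  # support of w11
            coeffs[i] = (d11 * gamma * beta) ** 2 % p
        for i, beta in groups[g][2].items():  # support of w21
            coeffs[i] = (d12 * gamma * beta) ** 2 % p
    for g, gamma in Jp[2].items():
        for i, beta in groups[g][1].items():  # support of w12
            coeffs[i] = (d12 * gamma * beta) ** 2 % p
        for i, beta in groups[g][2].items():  # support of w22
            coeffs[i] = (d22 * gamma * beta) ** 2 % p
    return coeffs

def verify(coeffs, vecs, p):
    """Not all zero, every coefficient a square (or 0), and the combination vanishes."""
    return (any(coeffs) and all(c == 0 or is_square(c, p) for c in coeffs)
            and not any(combo(dict(enumerate(coeffs)), vecs, p)))
```

The supports of $w_{11}, w_{12}, w_{21}, w_{22}$ stay pairwise disjoint because each group contributes disjoint index sets $J_1, J_2$ and the second stage only multiplies whole groups by a scalar; this is what makes the final coefficients genuine squares of products rather than sums.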

2.2 The cubic case 

Proposition 10. Let $n = (9m+1)(3m+1)(m+1)$. Then $\mathrm{SDE}(\mathbb{F}_q, n, m, 3)$ can be solved by a randomized 
algorithm in time polynomial in $m$ and $\log q$. 

Proof. We assume that $q-1$ is divisible by 3, since otherwise the problem is trivial. By a randomized 
polynomial time algorithm we can compute two elements $\zeta_2, \zeta_3$ from $\mathbb{F}_q^*$ such that $\zeta_1 = 1, \zeta_2, \zeta_3$ are a 
complete set of representatives of the cosets of the subgroup $\{x^3 : x \in \mathbb{F}_q^*\}$ of $\mathbb{F}_q^*$. Let $V$ be our input set of 
$n$ vectors in $\mathbb{F}_q^m$; now we want to represent the zero vector as a nontrivial linear combination of some vectors 
from $V$ where all the coefficients are cubes. 

As in the quadratic case, for any subset of $m+1$ vectors $v_1, \ldots, v_{m+1}$ from $V$, we can easily find a 
proper linear combination summing to zero, $\sum_{i=1}^{m+1} \alpha_i v_i = \mathbf{0}$. For $r = 1, 2, 3$, let $J_r$ be the set of indices 
such that $0 \neq \alpha_i = \beta_i^3 \zeta_r$. We know that at least one of these three sets is non-empty. For each $\alpha_i \neq 0$ 
we can efficiently identify the coset of $\alpha_i$ and even find $\beta_i$ using the method of […]. Let $w_r = \sum_{i \in J_r} \beta_i^3 v_i$. 
Then $\zeta_1 w_1 + \zeta_2 w_2 + \zeta_3 w_3 = \mathbf{0}$. Without loss of generality we can suppose that $J_1$ is non-empty, since if $J_r$ is 
non-empty for $r \in \{2, 3\}$, we can just multiply the $\alpha_i$'s simultaneously by $\zeta_1/\zeta_r$. 

From any subset of size $(3m+1)(m+1)$ of $V$ we can form $3m+1$ groups of size $m+1$, and within each 
group we can do the procedure outlined above. This way we obtain, for $k = 1, \ldots, 3m+1$ and $r = 1, 2, 3$, 
pairwise disjoint subsets $J_r(k)$ of indices and vectors $w_r(k)$ such that 

$$\zeta_1 w_1(k) + \zeta_2 w_2(k) + \zeta_3 w_3(k) = \mathbf{0}. \qquad (7)$$

For $k = 1, \ldots, 3m+1$, we know that $J_1(k) \neq \emptyset$ and the vectors $w_r(k)$ are combinations of input vectors with 
indices from $J_r(k)$ having coefficients which are nonzero cubes. Let $W(k) \in \mathbb{F}_q^{3m}$ denote the vector obtained 
by concatenating $w_1(k)$, $w_2(k)$ and $w_3(k)$ (in this order). Then we can find three pairwise disjoint subsets 
$M_1, M_2, M_3$ of $\{1, \ldots, 3m+1\}$, and for each $k \in M_s$ a nonzero field element $\gamma_k$ such that 

$$\sum_{s=1}^{3} \zeta_s \sum_{k \in M_s} \gamma_k^3 W(k) = \mathbf{0}. \qquad (8)$$

We can arrange that $M_2$ is non-empty. For $r, s \in \{1, 2, 3\}$, set $J_{rs} = \bigcup_{k \in M_s} J_r(k)$ and $w_{rs} = \sum_{k \in M_s} \gamma_k^3 w_r(k)$. 

Then $w_{rs}$ is a linear combination of input vectors with indices from $J_{rs}$ having coefficients that are nonzero 
cubes. The equality (8) just states that $\zeta_1 w_{r1} + \zeta_2 w_{r2} + \zeta_3 w_{r3} = \mathbf{0}$ for $r = 1, 2, 3$. Furthermore, summing 
up the equalities (7) for $k \in M_s$, we get $\zeta_1 w_{1s} + \zeta_2 w_{2s} + \zeta_3 w_{3s} = \mathbf{0}$ for $s = 1, 2, 3$. 

Continuing this way, from $(9m+1)(3m+1)(m+1)$ input vectors we can make 27 linear combinations 
with cubic coefficients $w_{rst}$, for $r, s, t = 1, 2, 3$, having pairwise disjoint supports such that the support of 
$w_{123}$ is non-empty and they satisfy the 27 equations 

$$\zeta_1 w_{1st} + \zeta_2 w_{2st} + \zeta_3 w_{3st} = \mathbf{0} \quad (s, t = 1, 2, 3);$$

$$\zeta_1 w_{r1t} + \zeta_2 w_{r2t} + \zeta_3 w_{r3t} = \mathbf{0} \quad (r, t = 1, 2, 3);$$

$$\zeta_1 w_{rs1} + \zeta_2 w_{rs2} + \zeta_3 w_{rs3} = \mathbf{0} \quad (r, s = 1, 2, 3).$$
From these we use the following 6 equations: 

$$\zeta_1 w_{123} + \zeta_2 w_{223} + \zeta_3 w_{323} = \mathbf{0};$$

$$\zeta_1 w_{132} + \zeta_2 w_{232} + \zeta_3 w_{332} = \mathbf{0};$$

$$\zeta_1 w_{213} + \zeta_2 w_{223} + \zeta_3 w_{233} = \mathbf{0};$$

$$\zeta_1 w_{312} + \zeta_2 w_{322} + \zeta_3 w_{332} = \mathbf{0};$$

$$\zeta_1 w_{231} + \zeta_2 w_{232} + \zeta_3 w_{233} = \mathbf{0};$$

$$\zeta_1 w_{321} + \zeta_2 w_{322} + \zeta_3 w_{323} = \mathbf{0}.$$

Adding these equalities with appropriate signs so that the terms with coefficients $\zeta_2$ and $\zeta_3$ cancel and 
dividing by $\zeta_1$, we obtain 

$$w_{123} + w_{231} + w_{312} - w_{132} - w_{213} - w_{321} = \mathbf{0}. \qquad (9)$$

Observing that $-1 = (-1)^3$, this gives a representation of zero as a linear combination of the input vectors 
with coefficients that are cubes. (Note that the algorithm described in this proof does not rely on 
van de Woestijne's result Fact 2. This is because we were in a position to eliminate the $\zeta_i$'s and obtained a 
linear dependency with coefficients $\pm 1$, which are always cubes of themselves in $\mathbb{F}_q$, independently of $q$.) 

□ 


3 The general case 

In this section we prove Theorem 3. First we make the simple observation that it is sufficient to solve 
$\mathrm{SDE}(\mathbb{F}_q, n, m, d)$ in the case when $d$ divides $q-1$. If it is not the case, then let $d' = \gcd(d, q-1)$. Then 
from a nonzero solution of the system 

$$\sum_{i=1}^{n} x_i^{d'} v_i = \mathbf{0},$$

one can efficiently find a nonzero solution of the original equation. Indeed, the extended Euclidean algorithm 
efficiently finds a positive integer $t$ such that $td = u(q-1) + d'$ for some integer $u$. Then for any nonzero 
$x \in \mathbb{F}_q$ we have $x^{td} = x^{d'}$, and therefore $(x_1^t, \ldots, x_n^t)$ is a solution of equation (4). 
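The exponent trick of this reduction, as an added Python example that is not taken from the paper: it works over a prime field $\mathbb{F}_p$ so that field arithmetic is integer arithmetic mod $p$. `exponent_lift` computes $d'$ and $t$, `lift_solution` maps a solution of the reduced system to one of the original system, and the exhaustive `brute_force_solution` only stands in for the real SDE algorithm on a tiny instance. The function names and the constructed instance ($p = 7$, $d = 4$, the single equation $x_1^d + 6x_2^d = 0$) are assumptions of the example.

```python
# Added example (not the paper's code): the exponent reduction at the start of Section 3,
# over a prime field F_p.  A solution of the system with exponent d' = gcd(d, p-1) is turned
# into one for exponent d by x -> x^t with t*d = d' + u*(p-1).
from itertools import product
from math import gcd

def exponent_lift(d, q):
    """Return (d', t): d' = gcd(d, q-1) and a positive t with t*d = d' (mod q-1), so that
    (x^t)^d = x^d' for every nonzero x in F_q (the paper obtains t by extended Euclid)."""
    dp = gcd(d, q - 1)
    e, f = d // dp, (q - 1) // dp            # coprime by construction
    t = pow(e, -1, f) if f > 1 else 1        # e*t = 1 mod f, hence d'*e*t = d' mod d'*f
    assert (t * d - dp) % (q - 1) == 0
    return dp, t

def is_solution(coeffs, xs, d, p):
    """Is xs a nonzero vector with sum a_i x_i^d = 0 in F_p?"""
    return any(x % p for x in xs) and sum(a * pow(x, d, p) for a, x in zip(coeffs, xs)) % p == 0

def lift_solution(coeffs, xs, d, p):
    """Map a nonzero solution for exponent d' = gcd(d, p-1) to one for exponent d."""
    dp, t = exponent_lift(d, p)
    assert is_solution(coeffs, xs, dp, p)
    return [pow(x, t, p) for x in xs]        # x^t != 0 for x != 0, so the lift stays nonzero

def brute_force_solution(coeffs, d, p):
    """Exhaustive solver for the reduced instance; tiny p only, standing in for the SDE algorithm."""
    for xs in product(range(p), repeat=len(coeffs)):
        if is_solution(coeffs, xs, d, p):
            return list(xs)
    return None
```

When $d' = 1$ (for instance $d = 5$ over $\mathbb{F}_7$) the reduced system is linear, so the reduction turns the whole problem into linear algebra; when $d' = d$ the lift is the identity and nothing is gained.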

From now on we suppose that $d$ divides $q-1$. Our algorithm will consist of two major procedures. The 
first one is devoted to finding two disjoint subsets of the input vectors, not both empty, and $d$th power 
coefficients such that the linear combinations of the vectors from the two subsets give equal vectors. Notice 
that this part already does the job when one of the two sets happens to be empty or $d$ is odd (or, more 
generally, a $d$th root of $-1$ is at hand). The second procedure consists of iterative applications of the first 
algorithm to obtain a vector with sufficiently many representations as linear combinations with $d$th power 
coefficients with pairwise disjoint supports. 

We will denote by $C(d,m)$ the number of vectors (variables) used by our algorithm. For $d = 1$, we can 
obviously take $C(1,m) = m+1$. 

The basic idea of the first algorithm is, like in the cubic and quadratic cases outlined in the previous 
section, getting linear dependencies and effectively putting the coefficients of these dependencies into cosets 
of the multiplicative group of the $d$th powers of nonzero field elements. In the first subsection, based on an 
idea borrowed from [28], we show how to do this without having nonresidues at hand. 

3.1 Classifying field elements 

During the procedures of this section, one of the basic tasks is the following. Given a nonzero field element 
$\alpha$, one has to write $\alpha$ as $\alpha = \zeta_i \beta^d$, where $1 = \zeta_1, \ldots, \zeta_d$ are fixed elements. Ideally, the $\zeta_i$ form a complete 
system of representatives of the cosets of the subgroup of the $d$th powers in the multiplicative group $\mathbb{F}_q^*$. 
Unfortunately, no deterministic polynomial time algorithm is known to find an element of a nontrivial coset 
(unless assuming the generalized Riemann hypothesis). Therefore, instead of the whole $\mathbb{F}_q^*$, we consider 
(roughly speaking) the subgroup generated by nonzero field elements already seen, and we classify elements 
according to the cosets of $d$th powers of this subgroup. The classification fails (essentially) when we encounter 
an element outside this group. Then the subgroup, the sub-subgroup of its $d$th powers as well as the coset 
representatives are updated and all the computations done so far are redone. Obviously, this can happen at 
most $\log q$ times, resulting in a $\log q$ factor in complexity (but not in the bound on the number of input vectors 
necessary for success). 

To describe the details, we need some notation. Let $\pi$ be the set of prime divisors of $d$ and $\pi'$ be the 
set of prime divisors of $q-1$ outside $\pi$. Then the multiplicative group $\mathbb{F}_q^*$ is the (direct) product of two 
subgroups $H_\pi$ and $H_{\pi'}$, where $H_\pi$ consists of the elements of order having prime factors from $\pi$, while the 
elements of $H_{\pi'}$ are those having an order whose prime factors are from $\pi'$. Note that the primes in $\pi$ can 
be computed in time $\ldots$ by factoring $d$. The primes in $\pi'$ do not need to be explicitly computed. Instead, 
by successively dividing $q-1$ by the primes in $\pi$, we can efficiently (that is, in time polynomial in $\log q$) 
compute the order of the subgroup $H_{\pi'}$, which is the largest divisor of $q-1$ coprime to $d$. Given an element 
$\alpha \in \mathbb{F}_q^*$, one can find in time polynomial in $\log q$ the unique elements $\gamma \in H_\pi$ and $\gamma' \in H_{\pi'}$ such that $\alpha = \gamma\gamma'$ 
(see, e.g., [25] for details). Also, one can efficiently find the unique element $\delta' \in H_{\pi'}$ such that $\gamma' = \delta'^d$. 

(Actually, $\delta' = \gamma'^r$ where $rd \equiv 1$ modulo the order of $H_{\pi'}$.) 

Instead of $H_\pi$ we use the subgroup $H$ of the $\pi$-parts of the field elements given so far to the classification 
procedure as input. We assume that $H$ is given by a generator $\eta$. Elements $1 = \zeta_1, \ldots, \zeta_d \in H$ are also 
assumed to be given such that they form a possibly redundant, but complete system of representatives of 
cosets of the subgroup $H^d$ consisting of the $d$th powers from $H$. Initially $\eta = 1 = \zeta_1 = \cdots = \zeta_d$. Given 
$\alpha = \gamma\gamma'$, we (attempt to) compute the $\eta$-base discrete logarithm of $\gamma$ using the method of Pohlig and 
Hellman [23]. This takes time polynomial in $d$ and $\log q$. In the case of success, we can use the logarithm to 
locate the coset of $\gamma$ and write $\gamma$ as $\gamma = \zeta_i \delta^d$ where $\delta \in H$. Then $\alpha = \zeta_i \beta^d$ where $\beta = \delta\delta'$. 

In the case of failure, we replace $\eta$ by a generator of the subgroup generated by $\gamma$ and $\eta$, and we replace 
$\zeta_2, \ldots, \zeta_d$ by $\eta, \ldots, \eta^{d-1}$ (repetitions may occur). We restart the whole algorithm with these new data. 
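The classification procedure of this subsection, as an added Python example that is not the paper's code: over a prime field $\mathbb{F}_p$ with $d \mid p-1$ it computes the decomposition $\alpha = \gamma\gamma'$, the $d$th root $\delta'$ of $\gamma'$ in $H_{\pi'}$, the $\eta$-base logarithm of $\gamma$ (brute force in place of Pohlig–Hellman, acceptable because $H_\pi$ is small here), and the restart with an enlarged $H = \langle \gamma, \eta \rangle$ and representatives $\zeta_r = \eta^{r-1}$. The class and function names are the example's own, and the way a generator of $\langle \gamma, \eta \rangle$ is obtained (combining, prime by prime, the factor whose order carries the larger prime power) is a choice of the example, not taken from the paper.

```python
# Added example (not the paper's code): the classification step of Subsection 3.1 over a
# prime field F_p with d | p-1.  A brute-force eta-base logarithm replaces Pohlig-Hellman,
# and the generator of <gamma, eta> is built by the usual prime-by-prime combination of orders.

def prime_factors(n):
    out, f = [], 2
    while f * f <= n:
        if n % f == 0:
            out.append(f)
            while n % f == 0:
                n //= f
        f += 1
    return out + [n] if n > 1 else out

def order(x, p):
    """Multiplicative order of x in F_p^*."""
    k, y = 1, x % p
    while y != 1:
        y, k = y * x % p, k + 1
    return k

def pi_split(d, p):
    """(|H_pi|, |H_pi'|): |H_pi'| is the largest divisor of p-1 coprime to d."""
    n_pp = p - 1
    for ell in prime_factors(d):
        while n_pp % ell == 0:
            n_pp //= ell
    return (p - 1) // n_pp, n_pp

def decompose(a, d, p):
    """alpha = gamma*gamma' (gamma in H_pi, gamma' in H_pi') and delta' in H_pi' with delta'^d = gamma'."""
    n_pi, n_pp = pi_split(d, p)
    u = pow(n_pi, -1, n_pp) if n_pp > 1 else 0   # u*n_pi + v*n_pp = 1
    v = (1 - u * n_pi) // n_pp
    gamma = pow(a, (v % n_pi) * n_pp, p)        # its order divides |H_pi|
    gamma_p = pow(a, u * n_pi, p)                # its order divides |H_pi'|
    r = pow(d, -1, n_pp) if n_pp > 1 else 1      # r*d = 1 mod |H_pi'|
    return gamma, gamma_p, pow(gamma_p, r, p)

def generator_of_join(x, y, p):
    """Generator of <x, y> inside the cyclic group F_p^*: for each prime take the factor of x or
    y carrying the larger prime power in its order; the product has order lcm(ord x, ord y)."""
    ox, oy, g = order(x, p), order(y, p), 1
    for ell in set(prime_factors(ox) + prime_factors(oy)):
        ex = ey = 0
        while ox % ell ** (ex + 1) == 0:
            ex += 1
        while oy % ell ** (ey + 1) == 0:
            ey += 1
        g = g * (pow(x, ox // ell ** ex, p) if ex >= ey else pow(y, oy // ell ** ey, p)) % p
    return g

class CosetClassifier:
    """Holds H = <eta> and the representatives zeta_r = eta^(r-1), r = 1..d, of the cosets of H^d.
    classify(a) returns (r, beta) with a = zeta_r * beta^d, or None after enlarging H (the
    paper then redoes every computation made with the old representatives)."""
    def __init__(self, d, p):
        self.d, self.p, self.eta = d, p, 1

    def zetas(self):
        return [pow(self.eta, r, self.p) for r in range(self.d)]

    def dlog(self, x):
        """Brute-force eta-base logarithm; None if x lies outside <eta>."""
        y, k = 1, 0
        while True:
            if y == x:
                return k
            y, k = y * self.eta % self.p, k + 1
            if y == 1:
                return None

    def classify(self, a):
        gamma, _, delta_p = decompose(a, self.d, self.p)
        L = self.dlog(gamma)
        if L is None:              # gamma outside H: enlarge H and signal a restart
            self.eta = generator_of_join(gamma, self.eta, self.p)
            return None
        q, r = divmod(L, self.d)   # gamma = eta^r * (eta^q)^d, so a = zeta_(r+1) * (eta^q * delta')^d
        return r + 1, pow(self.eta, q, self.p) * delta_p % self.p

def classify_all(elements, d, p):
    """Classify every element, restarting from scratch whenever H grows (at most log p times)."""
    clf, restarts = CosetClassifier(d, p), 0
    while True:
        result = [clf.classify(a) for a in elements]
        if None not in result:
            return result, clf.zetas(), restarts
        restarts += 1

def check(elements, result, zetas, d, p):
    """zeta_r * beta^d == a for every classified element."""
    return all(zetas[r - 1] * pow(b, d, p) % p == a for a, (r, b) in zip(elements, result))
```

With $p = 13$ and $d = 4$ the first element already forces one restart ($H$ grows from $\{1\}$ to the whole $H_\pi$ of order 4), after which every element is classified without further growth; the number of restarts is bounded because each failure strictly enlarges $H$.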

3.2 Finding colliding representations 

In this subsection we prove the following. 

Theorem 11. Assume that $d \mid q-1$ and put $G(d,m) = d^{d(d-1)/2}(m+1)^d$. Then, given $G = G(d,m)$ input 
vectors $v_1, \ldots, v_G \in \mathbb{F}_q^m$, in time polynomial in $G$ and $\log q$, we can find two disjoint subsets $I$ and $J$ of 
$\{1, \ldots, G\}$ with $I \neq \emptyset$ and nonzero field elements $\gamma_i \in \mathbb{F}_q^*$ ($i \in I \cup J$) such that $\sum_{i \in I} \gamma_i^d v_i = \sum_{j \in J} \gamma_j^d v_j$. 

Proof. The algorithm follows the lines already presented in the proof of Proposition 10 for the cubic case. 
The main difference is that here we (possibly) need more rounds of iteration. For $\ell = 1, \ldots, d$, put $B_\ell(d,m) = 
d^{\ell(\ell-1)/2}(m+1)^\ell$. For $a = (a_1, \ldots, a_\ell) \in \{1, \ldots, d\}^\ell$, for $s \in \{1, \ldots, d\}$ and for $1 \leq j \leq \ell$, set 

$$a(j, s) = (a_1, \ldots, a_{j-1}, s, a_{j+1}, \ldots, a_\ell).$$

Lemma 12. From $B = B_\ell(d,m)$ input vectors $v_1, \ldots, v_B$, in time polynomial in $B$ and $\log q$, we can find 
$d^\ell$ pairwise disjoint subsets $J_a \subseteq \{1, \ldots, B\}$ and field elements $\beta_1, \ldots, \beta_B$ such that $J_{(1, \ldots, \ell)} \neq \emptyset$, and if we 
set $w_a = \sum_{i \in J_a} \beta_i^d v_i$ then we have 

$$\sum_{s=1}^{d} \zeta_s w_{a(j,s)} = \mathbf{0},$$

for every $a \in \{1, \ldots, d\}^\ell$ and $j = 1, \ldots, \ell$. 

Proof. We prove it by recursion on $\ell$. If $\ell = 1$ then any $B_1(d,m) = m+1$ vectors from $\mathbb{F}_q^m$ are linearly 
dependent. Therefore there exist $\alpha_1, \ldots, \alpha_{m+1} \in \mathbb{F}_q$, not all zero, such that $\sum_{i=1}^{m+1} \alpha_i v_i = \mathbf{0}$. Using the 
procedure of Subsection 3.1 we find subsets $J_1, \ldots, J_d$ of $\{1, \ldots, m+1\}$ and field elements $\beta_i$ ($i \in J_1 \cup \cdots \cup J_d$), 
such that for $i \in J_r$ we have $\alpha_i = \zeta_r \beta_i^d$. At least one of the sets $J_r$ is non-empty. If $J_1$ is empty then we 
multiply the coefficients $\alpha_i$ simultaneously by $\zeta_1/\zeta_r$, where $J_r$ is nonempty, to arrange that $J_1$ becomes 
nonempty. 




To describe the recursive step, assume that we are given $B_{\ell+1}(d,m) = d^\ell(m+1)B$ vectors. Put $E = 
d^\ell(m+1)$, and for convenience assume that the input vectors are denoted by $v_{ki}$ for $k = 1, \ldots, E$ and 
$i = 1, \ldots, B$. By the recursive hypothesis, for every $k \in \{1, \ldots, E\}$, there exist subsets $J_a(k) \subseteq \{1, \ldots, B\}$ 
and field elements $\beta_i(k)$ such that $J_{(1, \ldots, \ell)}(k) \neq \emptyset$, and with $w_a(k) = \sum_{i \in J_a(k)} \beta_i(k)^d v_{ki}$ we have 

$$\sum_{s=1}^{d} \zeta_s w_{a(j,s)}(k) = \mathbf{0}, \qquad (10)$$

for every $a \in \{1, \ldots, d\}^\ell$ and $j = 1, \ldots, \ell$. 

For every $k = 1, \ldots, E$, let $W(k)$ be the concatenation of the vectors $w_a(k)$ in a fixed, say the lexicographic, 
order of $\{1, \ldots, d\}^\ell$. Then the $W(k)$'s are vectors of length $d^\ell m < E$. Therefore there exist field 
elements $\alpha(1), \ldots, \alpha(E)$, not all zero, such that $\sum_{k=1}^{E} \alpha(k) W(k) = \mathbf{0}$. For a $k$ such that $\alpha(k) \neq 0$ let 
$\alpha(k) = \zeta_r \gamma(k)^d$ for some $1 \leq r \leq d$ and $\gamma(k) \in \mathbb{F}_q^*$. The index $r$ and $\gamma(k)$ are computed by the procedure 
of Subsection 3.1. For $r = 1, \ldots, d$, let $M_r$ be the set of $k$'s such that $\alpha(k) = \zeta_r \gamma(k)^d$. We can arrange that 
$M_{\ell+1}$ is non-empty by simultaneously multiplying the $\alpha(k)$'s by $\zeta_{\ell+1}/\zeta_r$ for some $r$, if necessary. Observe 
that we have 

$$\sum_{s=1}^{d} \zeta_s \sum_{k \in M_s} \gamma(k)^d W(k) = \mathbf{0}. \qquad (11)$$

For $i \in \{1, \ldots, B\}$ and $k \in \{1, \ldots, E\}$ set $\beta_{ki} = \gamma(k)\beta_i(k)$. We fix $a' \in \{1, \ldots, d\}^{\ell+1}$, and we set 
$a = (a'_1, \ldots, a'_\ell)$ and $r = a'_{\ell+1}$. We define $J'_{a'} = \{(k, i) : k \in M_r \text{ and } i \in J_a(k)\}$ and $w'_{a'} = \sum_{(k,i) \in J'_{a'}} \beta_{ki}^d v_{ki}$. 

Then $w'_{a'} = \sum_{k \in M_r} \gamma(k)^d w_a(k)$. This equality, together with the equalities (10), implies that for every $j = 1, \ldots, \ell$ 
we have 

$$\sum_{s=1}^{d} \zeta_s w'_{a'(j,s)} = \mathbf{0}.$$

For $j = \ell+1$ consider the equality (11), from which it follows that 

$$\sum_{s=1}^{d} \zeta_s \sum_{k \in M_s} \gamma(k)^d w_a(k) = \mathbf{0}.$$

Expanding $w_a(k)$ in the inner sum $\sum_{k \in M_s} \gamma(k)^d w_a(k)$ gives that it equals $w'_{a'(\ell+1,s)}$. Thus also 

$$\sum_{s=1}^{d} \zeta_s w'_{a'(\ell+1,s)} = \mathbf{0},$$

finishing the proof of the lemma. □ 

We apply the procedure of Lemma 12 for $\ell = d$. From $B = B_d(d,m) = d^{d(d-1)/2}(m+1)^d$ input vectors 
$v_1, \ldots, v_B$, we compute in time polynomial in $\log q$ and $B$ subsets $J_a$, with $J_{(1, 2, \ldots, d)} \neq \emptyset$, as well as nonzero 
elements $\beta_1, \ldots, \beta_B \in \mathbb{F}_q$, such that with $w_a = \sum_{i \in J_a} \beta_i^d v_i$ we have 

$$\sum_{s=1}^{d} \zeta_s w_{a(j,s)} = \mathbf{0}, \qquad (12)$$

for every $j = 1, \ldots, d$ and for every $a \in \{1, \ldots, d\}^d$. 

Tuples from $\{1, \ldots, d\}^d$ without repetitions are of special interest. We identify such a $d$-tuple $a = 
(a_1, \ldots, a_d)$ with the permutation $i \mapsto a_i$ from the symmetric group $S_d$ on $\{1, \ldots, d\}$. With some abuse 
of notation, we denote this permutation also by $a$. By $\mathrm{sgn}(a)$ we denote the sign of $a$, considered as a 
permutation. The sign of $a$ is $1$ if $a$ is even and $-1$ if $a$ is odd. We show that 

$$\sum_{a \in S_d} \mathrm{sgn}(a)\, w_a = \mathbf{0}. \qquad (13)$$

For $a \in S_d$, let $j_a$ be the position of $1$ in $a$ and for every $s \in \{1, \ldots, d\}$, we denote by $a[s]$ the sequence 
obtained from $a$ by replacing $1$ with $s$. Notice that $a[s] = a(j_a, s)$, therefore (12) implies 

$$\sum_{a \in S_d} \mathrm{sgn}(a) \sum_{s=1}^{d} \zeta_s w_{a[s]} = \mathbf{0}. \qquad (14)$$

We claim that 

$$\sum_{a \in S_d} \mathrm{sgn}(a) \sum_{s=2}^{d} \zeta_s w_{a[s]} = \mathbf{0}. \qquad (15)$$

To see this, observe that for $s > 1$ the tuple $a[s]$ has entries from $\{2, \ldots, d\}$, where $s$ occurs twice, while the 
others once. Any such sequence $a'$ can come from exactly two permutations which differ by a transposition: 
these are obtained from $a'$ by replacing one of the occurrences of $s$ with $1$. Then (13) is just the difference 
of equalities (14) and (15). 

Put 

$$I = \bigcup_{a \text{ even}} J_a, \qquad J = \bigcup_{a \text{ odd}} J_a \qquad\text{and}\qquad \gamma_i = \beta_i \text{ for } i \in I \cup J.$$

(Here, $a$ even resp. $a$ odd abbreviates that $a$ is an even or an odd permutation, respectively.) Then (13) 
gives the desired pair of colliding representations. □ 


3.3 Accumulating collisions 

In this subsection we finish the proof of Theorem 3. 


Proof of Theorem 3. We assume that $q-1$ is divisible by $d$. By Theorem 11, from $G(d,m)$ input vectors we 
can select two disjoint subsets, not both empty, and find $d$th power coefficients such that the corresponding 
linear combinations represent the same vector. Notice that we are done if this is the zero vector. 

When we have $G(d,m)^2$ input vectors, the procedure of Theorem 11 applied to $G(d,m)$ groups of size 
$G(d,m)$ gives $G(d,m)$ vectors and two representations as linear combinations with $d$th power coefficients 
for each. (These combinations have $2G(d,m)$ pairwise disjoint sets as support.) Applying the procedure 
again to the $G(d,m)$ vectors and multiplying the coefficients gives a vector with 4 representations as linear 
combinations having pairwise disjoint support and $d$th power coefficients. 

Iterating this, using $G(d,m)^\ell$ input vectors, we obtain a vector with $2^\ell$ representations as linear combinations 
having pairwise disjoint support and coefficients that are explicit $d$th powers. When $2^\ell \geq d+1$, we 
can use Fact 2 to find field elements $z_1, \ldots, z_{d+1}$, not all zero, such that $z_1^d + \cdots + z_{d+1}^d = 0$. Multiplying the 
coefficients of the $i$th representation by $z_i^d$ we obtain the desired representation of the zero vector. We have 

$$C(d,m) \leq G(d,m)^{\lceil \log_2(d+1) \rceil} < \ldots$$

□ 


4 Application in Quantum computing 

4.1 Reduction from the special HSP to HPGP'

In this part we give the details of a reduction from a special instance of the hidden subgroup problem in groups which are semidirect products of an elementary abelian $p$-group by a group of order $p$. The arguments here are quite standard.




Proof of Proposition. A semidirect product group of the form $\mathbb{F}_p \ltimes \mathbb{F}_p^m$ can be specified by an automorphism of $\mathbb{F}_p^m$. The automorphisms of $\mathbb{F}_p^m$ can be identified with nonsingular $m \times m$ matrices $B$ over $\mathbb{F}_p$ such that $B^p = I$. For such a matrix $B$, the group $G_B = \mathbb{F}_p \ltimes_B \mathbb{F}_p^m$ can be represented as the set of $(m+1) \times (m+1)$ matrices over $\mathbb{F}_p$

$$\left\{ \begin{pmatrix} B^x & v \\ 0 & 1 \end{pmatrix} : x \in \mathbb{F}_p,\ v \in \mathbb{F}_p^m \right\}.$$

We choose the quantum encoding $|x\rangle|v\rangle$ for the matrix

$$M_B(x,v) = \begin{pmatrix} B^x & v \\ 0 & 1 \end{pmatrix}.$$

Let

$$K = \left\{ \begin{pmatrix} B^x & 0 \\ 0 & 1 \end{pmatrix} : x \in \mathbb{F}_p \right\} \quad \text{and} \quad N = \left\{ \begin{pmatrix} I & u \\ 0 & 1 \end{pmatrix} : u \in \mathbb{F}_p^m \right\}.$$

Then $N$ is a normal subgroup of $G_B$ of index $p$ and $K \cap N = \{I\}$. For every $v \in \mathbb{F}_p^m$, consider the cyclic subgroup

$$H_v = \left\{ \begin{pmatrix} B & v \\ 0 & 1 \end{pmatrix}^{x} : x \in \mathbb{F}_p \right\} = \left\{ \begin{pmatrix} B^x & v(x) \\ 0 & 1 \end{pmatrix} : x \in \mathbb{F}_p \right\},$$

where

$$v(x) = (B^{x-1} + \dots + B^1 + B^0)\, v.$$

Then $\mathcal{H}$, the family of subgroups of $G_B$ of order $p$ which are not subgroups of $N$, is exactly $\{H_v : v \in \mathbb{F}_p^m\}$. The hidden function hides some member of $\mathcal{H}$. Since $B^p = I$ we also have $(B - I)^p = 0$. It can be seen that if the nilpotency class of $G_B$ is $d$ then $d$ is the smallest integer such that $(B - I)^d = 0$. In fact, if we let $A = \log B$ then the lower central series of $G_B$ is the sequence consisting of the images of $A, A^2, \dots, A^{d-1}$.

Claim 13. The functions $v_i(x)$ are polynomials with $0$ constant term and of degree $\le d$, for $i = 1,\dots,m$.


Proof. We have

$$A = \log B = \sum_{a=1}^{d-1} \frac{(-1)^{a-1}}{a} (B - I)^a.$$

Then

$$B^k = \exp(kA) = \sum_{j=0}^{d-1} \frac{k^j}{j!} A^j,$$

since $A^d = 0$. Therefore

$$v(x) = \sum_{k=0}^{x-1} B^k v = \sum_{k=0}^{x-1} \sum_{j=0}^{d-1} \frac{k^j}{j!} A^j v = \sum_{j=0}^{d-1} \frac{A^j v}{j!} \sum_{k=0}^{x-1} k^j = \sum_{j=0}^{d-1} \frac{P_j(x-1)}{j!} A^j v,$$

where $P_0(x-1) = x$, and $P_j(x)$ is a degree $j+1$ polynomial expressed by Faulhaber's formula, for $j = 1,\dots,d-1$. It is known that $P_j(x)$ is divisible by $x + 1$, for all $j$. Therefore indeed $v_i(x)$ is a degree $\le d$ polynomial with constant term zero, for $i = 1,\dots,m$. □

Let us now suppose that our input $f$ to $\mathrm{HSP}(G_B, \mathcal{H})$ hides the subgroup

$$H_v = \left\{ \begin{pmatrix} B^x & v(x) \\ 0 & 1 \end{pmatrix} : x \in \mathbb{F}_p \right\}.$$

We can take as coset representatives

$$N = \left\{ \begin{pmatrix} I & u \\ 0 & 1 \end{pmatrix} : u \in \mathbb{F}_p^m \right\}.$$

Since

$$\begin{pmatrix} I & u \\ 0 & 1 \end{pmatrix} \begin{pmatrix} B^x & v(x) \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} B^x & u + v(x) \\ 0 & 1 \end{pmatrix},$$

the left cosets of $H_v$ are of the form

$$\left\{ \begin{pmatrix} B^x & u + v(x) \\ 0 & 1 \end{pmatrix} : x \in \mathbb{F}_p \right\} = \{ M_B(x, u + v(x)) : x \in \mathbb{F}_p \},$$

for $u \in \mathbb{F}_p^m$. By a standard efficient quantum procedure we can create, for a random $u \in \mathbb{F}_p^m$, the coset state

$$\sum_{x \in \mathbb{F}_p} |x\rangle |u + v(x)\rangle.$$

But this is also a random level set state of the function $f : \mathbb{F}_p \times \mathbb{F}_p^m \to \mathbb{F}_p^m$,

$$f(x,y) = y - v(x),$$

and therefore the input to $\mathrm{HPGP}'(\mathbb{F}_p, 1, m, d)$ hiding the polynomial $v(x)$. From the solution $v(x)$ we can recreate the solution of the HSP problem since $v = v(1)$.

□
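As an added numerical check of Claim 13 (this is not code from the paper), the block below builds a small unipotent $B = I + A$ over $\mathbb{F}_7$ with $(B - I)^3 = 0$, computes $v(x) = (B^{x-1} + \dots + B^0)v$ for every $x$, and recovers each coordinate polynomial $v_i(x)$ by Lagrange interpolation; the instance ($p = 7$, $m = d = 3$, $A$ the nilpotent shift matrix) is constructed for illustration.

```python
# Added example (not from the paper): numerical check of Claim 13 on a
# constructed instance: p = 7, m = 3, B = I + A with A the nilpotent shift
# matrix, so (B - I)^3 = 0 and the relevant nilpotency class is d = 3 < p.
P, D = 7, 3
B = [[1, 1, 0],
     [0, 1, 1],
     [0, 0, 1]]

def mat_vec(M, v, p):
    return [sum(M[i][j] * v[j] for j in range(len(v))) % p for i in range(len(M))]

def v_of_x(B, v, x, p):
    """v(x) = (B^{x-1} + ... + B^1 + B^0) v, accumulated as B^k v for k < x."""
    total, bk_v = [0] * len(v), list(v)
    for _ in range(x):
        total = [(a + b) % p for a, b in zip(total, bk_v)]
        bk_v = mat_vec(B, bk_v, p)          # advance B^k v to B^{k+1} v
    return total

def poly_mul(f, g, p):
    h = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] = (h[i + j] + a * b) % p
    return h

def interpolate(values, p):
    """Lagrange interpolation over F_p through (x, values[x]), x = 0..p-1.
    Returns c with c[j] the coefficient of x^j (unique since p > degree)."""
    coeffs = [0] * p
    for i in range(p):
        basis, denom = [1], 1
        for j in range(p):
            if j != i:
                basis = poly_mul(basis, [(-j) % p, 1], p)   # times (x - j)
                denom = denom * (i - j) % p
        scale = values[i] * pow(denom, -1, p) % p
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * c) % p
    return coeffs

def coordinate_polynomials(B, v, p):
    """Coefficient lists of v_1(x), ..., v_m(x): tabulate v(x), then interpolate."""
    table = [v_of_x(B, v, x, p) for x in range(p)]
    return [interpolate([row[i] for row in table], p) for i in range(len(v))]

def claim13_holds(B, v, p, d):
    """True iff every v_i(x) has zero constant term and degree at most d."""
    return all(c[0] == 0 and not any(c[d + 1:])
               for c in coordinate_polynomials(B, v, p))
```

For $v = (0,0,1)$ the recovered coordinates are $x(x-1)(x-2)/6$, $x(x-1)/2$ and $x$ reduced modulo $7$, matching the Faulhaber terms $P_j(x-1)/j!$ of the proof.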


5 Proof of Theorem 5

In this part we outline a modified version of the method of our work [9] with Decker and Høyer. A critical ingredient is solving systems of diagonal polynomial equations with sufficiently many variables. (At the time of writing that paper, polynomial time algorithms, except for the cases $d = 1, 2$, were available only when the number of equations is constant.) Now we have a version which works in polynomial time even if $m$ is not constant.

Proof of Theorem 5 (sketch). A solution for constant $p$ is given in [10]. (Interestingly, that solution goes through a reduction to the variant of the hidden subgroup problem with coset states as input in a $p$-group of nilpotency class $d + 1$ and exponent $p$. The latter problem is solved by the method of the paper [12] by the authors with Friedl, Magniez and Sen, which works efficiently in groups of constant derived length and constant exponent.) Therefore we may assume that $p > d$. Although this assumption is not essential, it simplifies the presentation very much.

The input for HPGP' consists of uniform superpositions of random level set states of the form (5), which, for the special case we have, are states

$$\sum_{x=0}^{p-1} |x\rangle \Big| u + \sum_{j=1}^{d} x^j w_j \Big\rangle$$

for random (unknown) $u \in \mathbb{F}_p^m$, where $w_1,\dots,w_d \in \mathbb{F}_p^m$ are the hidden coefficient vectors of the polynomial and $w_{jk}$ denotes the $k$th coordinate of $w_j$. To handle the dependency on $u$, we apply the Fourier transform of $\mathbb{F}_p^m$ to the second register of such a state. The result is

$$\sum_{y \in \mathbb{F}_p^m} \sum_{x=0}^{p-1} \omega^{\sum_{k=1}^{m} y_k u_k + \sum_{j=1}^{d} x^j \sum_{k=1}^{m} y_k w_{jk}} |x\rangle |y\rangle = \sum_{y \in \mathbb{F}_p^m} \omega^{\sum_{k=1}^{m} y_k u_k} |\phi_y\rangle |y\rangle,$$

where $\omega = e^{2\pi i/p}$ and

$$|\phi_y\rangle = \sum_{x=0}^{p-1} \omega^{\sum_{j=1}^{d} x^j \sum_{k=1}^{m} y_k w_{jk}} |x\rangle.$$

Measuring the second register we obtain, up to a global phase, the state $|\phi_y\rangle$ with known $y$. We drop the useless states $|\phi_0\rangle$. It can be seen that each $y \in \mathbb{F}_p^m$ occurs with equal probability, therefore $|\phi_0\rangle$ occurs with probability $p^{-m}$.

We rewrite $|\phi_y\rangle$ in a more general form suitable for recursion. For hidden parameters $\eta_1,\dots,\eta_\ell \in \mathbb{F}_p$ and for $Y = (Y_{jk}) \in \mathbb{F}_p^{d \times \ell}$ let

$$|\psi_Y\rangle := \sum_{x=0}^{p-1} \omega^{\sum_{j=1}^{d} x^j \sum_{k=1}^{\ell} Y_{jk} \eta_k} |x\rangle.$$

In words, the coefficient of $x^j$ in the phase of the state $|\psi_Y\rangle$ is a linear combination of the hidden parameters with known coefficients $Y_{j1},\dots,Y_{j\ell}$. Then $|\phi_y\rangle = |\psi_Y\rangle$, where $\ell = dm$, $\eta_{(j-1)d+k} = w_{jk}$, $Y_{j,(j-1)d+k} = y_k$, and $Y_{j',(j-1)d+k} = 0$, for $j, j' = 1,\dots,d$, $j' \ne j$, $k = 1,\dots,m$. The goal is to determine the hidden parameters $\eta_1,\dots,\eta_\ell$.

Let $n = n(\ell, d)$ be a positive integer such that for any positive integer $d' \le d$ nonzero solutions of diagonal systems of equations of the form

$$\sum_{i=1}^{n} a_{ki}\, \xi_i^{d'} = 0 \qquad \text{for } k = 1,\dots,\ell,$$

with coefficients $a_{ki} \in \mathbb{F}_p$, in the variables $\xi_1,\dots,\xi_n$ can be found in time polynomial in $n \ell \log p$.

Using $n$ level set superpositions, we obtain $n$ states of the form $|\psi_Y\rangle$ with various $Y$. More precisely, up to a global phase we obtain a state

$$|\psi_{Y^1}\rangle \cdots |\psi_{Y^n}\rangle = \sum_{x_1,\dots,x_n=0}^{p-1} \omega^{\sum_{j=1}^{d} x_1^j \sum_{k=1}^{\ell} Y^1_{jk} \eta_k + \dots + \sum_{j=1}^{d} x_n^j \sum_{k=1}^{\ell} Y^n_{jk} \eta_k} |x_1,\dots,x_n\rangle.$$


If the degree $d$ term is completely missing from the phase of some state $|\psi_{Y^i}\rangle$, that is, $Y^i_{dk} = 0$ for $k = 1,\dots,\ell$, then we take $|\psi_{Y^i}\rangle$ and ignore all the other states. Otherwise we produce a similar state without a degree $d$ term as follows. (This is the point where the new algorithm differs from that of our earlier work with Decker and Høyer. Originally the degree $d$ terms had to be eliminated one by one, which caused an exponential blowup of the costs in $m$. The main result of the present paper allows us to eliminate all the degree $d$ terms simultaneously, in one step, avoiding the exponential blowup.)

We find a nonzero solution $(\delta_1,\dots,\delta_n) \in \mathbb{F}_p^n$ of the system of equations $\sum_{i=1}^{n} \delta_i^d Y^i_{dk} = 0$, for $k = 1,\dots,\ell$. (We have to solve $\ell$ homogeneous linear equations in $\delta_1^d,\dots,\delta_n^d$.) Then we add a fresh register initialized to $\sum_{x=0}^{p-1} |x\rangle$ and subtract $\delta_i x$ from the $i$th register. We obtain

$$\sum_{x=0}^{p-1} \sum_{x_1,\dots,x_n=0}^{p-1} \omega^{\sum_{j=1}^{d} (x_1 + \delta_1 x)^j \sum_{k=1}^{\ell} Y^1_{jk} \eta_k + \dots + \sum_{j=1}^{d} (x_n + \delta_n x)^j \sum_{k=1}^{\ell} Y^n_{jk} \eta_k} |x_1,\dots,x_n\rangle |x\rangle.$$

Collecting the terms according to the degree of $x$ in the phase, we can rewrite the state as

$$\sum_{x=0}^{p-1} \sum_{x_1,\dots,x_n=0}^{p-1} \omega^{\sum_{j=0}^{d} x^j \sum_{k=1}^{\ell} Z_{jk}(x_1,\dots,x_n) \eta_k} |x_1,\dots,x_n\rangle |x\rangle.$$

Here $Z_{jk}(x_1,\dots,x_n)$ is a degree $d - j$ polynomial in $x_1,\dots,x_n$. By the choice of $\delta_1,\dots,\delta_n$, we have

$$Z_{dk}(x_1,\dots,x_n) = \delta_1^d Y^1_{dk} + \dots + \delta_n^d Y^n_{dk} = 0.$$

We also have

$$Z_{d-1,k}(x_1,\dots,x_n) = d\,\delta_1^{d-1} Y^1_{dk} x_1 + \dots + d\,\delta_n^{d-1} Y^n_{dk} x_n + \delta_1^{d-1} Y^1_{d-1,k} + \dots + \delta_n^{d-1} Y^n_{d-1,k}.$$

We have $\delta_i \ne 0$ for at least one index $i$ from $1,\dots,n$. As $Y^i_{dk}$ is nonzero for at least one $k$, the polynomial $Z_{d-1,k}$ contains the term $x_i$ with nonzero coefficient (recall $p > d$, so $d\,\delta_i^{d-1} Y^i_{dk} \ne 0$). Hence, for a random choice of $x_1,\dots,x_n$, it will be nonzero with probability at least $1 - 1/p$. Therefore, if we measure the first $n$ registers, we obtain a state of the form

$$\sum_{x=0}^{p-1} \omega^{\sum_{j=0}^{d-1} x^j \sum_{k=1}^{\ell} Z_{jk} \eta_k} |x\rangle,$$

where not all the vectors $Z_{jk}$ are zero.
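The elimination step above, as an added worked example (not the paper's code): on a constructed instance with $p = 7$, $d = 2$, $n = 3$ states and $\ell = 2$ hidden parameters it finds $\delta$ by brute force (standing in for the paper's solver), expands the shifted phase to obtain the $Z_{jk}$, and checks that $Z_{dk} = 0$ and that $Z_{d-1,k}$ matches the formula above. The matrices $Y^i$ and the measured values $x_i$ are made up.

```python
# Added example (not from the paper): one elimination step of the Section 5
# procedure on a constructed instance. Y[i][j-1][k-1] holds Y^{i+1}_{jk}; the
# paper's own polynomial-time solver is replaced by brute force for tiny p, n.
from itertools import product
from math import comb

def find_delta(Y, p, d):
    """Nonzero delta in F_p^n with sum_i delta_i^d Y^i_{dk} = 0 for every k."""
    n, l = len(Y), len(Y[0][0])
    for delta in product(range(p), repeat=n):
        if any(delta) and all(
                sum(pow(delta[i], d, p) * Y[i][d - 1][k] for i in range(n)) % p == 0
                for k in range(l)):
            return list(delta)
    return None

def collect_Z(Y, delta, xs, p, d):
    """Z[t][k] = coefficient of x^t eta_k after the shift x_i -> x_i + delta_i x,
    from the binomial expansion of (x_i + delta_i x)^j; xs are the measured x_i."""
    n, l = len(Y), len(Y[0][0])
    Z = [[0] * l for _ in range(d + 1)]
    for i, j, t, k in product(range(n), range(1, d + 1), range(d + 1), range(l)):
        if t <= j:
            term = comb(j, t) * pow(xs[i], j - t, p) * pow(delta[i], t, p) * Y[i][j - 1][k]
            Z[t][k] = (Z[t][k] + term) % p
    return Z

def z_top_closed_form(Y, delta, xs, p, d):
    """The paper's formula: Z_{d-1,k} = sum_i d delta_i^{d-1} Y^i_{dk} x_i + delta_i^{d-1} Y^i_{d-1,k}."""
    n, l = len(Y), len(Y[0][0])
    return [sum(pow(delta[i], d - 1, p) * (d * Y[i][d - 1][k] * xs[i] + Y[i][d - 2][k])
                for i in range(n)) % p for k in range(l)]

def phase_matches(Y, delta, xs, p, d):
    """Checks sum_i sum_j (x_i + delta_i x)^j Y^i_{jk} == sum_t Z_{tk} x^t for all x, k."""
    n, l = len(Y), len(Y[0][0])
    Z = collect_Z(Y, delta, xs, p, d)
    for x, k in product(range(p), range(l)):
        lhs = sum(pow(xs[i] + delta[i] * x, j, p) * Y[i][j - 1][k]
                  for i in range(n) for j in range(1, d + 1)) % p
        rhs = sum(Z[t][k] * pow(x, t, p) for t in range(d + 1)) % p
        if lhs != rhs:
            return False
    return True

# Constructed instance: p = 7 > d = 2, n = 3 states, l = 2 hidden parameters.
P, D = 7, 2
Y_EX = [[[1, 0], [1, 1]], [[0, 1], [1, 2]], [[1, 1], [1, 4]]]
XS_EX = [2, 0, 5]   # outcome of measuring the first n registers
```

On this instance the degree-2 row of every $Y^i$ is nonzero, yet after the shift the degree-2 coefficients $Z_{2k}$ vanish for both $k$ while the degree-1 row survives, which is exactly what the recursion needs.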

Starting with $n^{d-1}$ states with degree $d$ phase (coming from $n^{d-1}$ level set states), applying this procedure to groups of size $n$ we obtain $n^{d-2}$ states with degree $d - 1$ phase, from which we can produce $n^{d-3}$ degree $d - 2$ states, and so on. Eventually, with overall failure probability at most $n^d/p$, we obtain (up to a global phase) a state of the form

$$\sum_{x=0}^{p-1} \omega^{x \sum_{k=1}^{\ell} Z_k \eta_k} |x\rangle$$

with known $Z_1,\dots,Z_\ell$, not all zero. Applying the inverse Fourier transform of $\mathbb{F}_p$, we obtain the value of $\sum_{k=1}^{\ell} Z_k \eta_k$, that is, a linear equation for $\eta_1,\dots,\eta_\ell$. Using this equation, we can substitute a linear combination of the others (and a constant term) into one of the parameters, and we can do a recursion with $\ell - 1$ unknown parameters.

The whole procedure uses $\ell n^{d-1}$ level set superpositions, has overall failure probability $\ell n^{d-1}/p$, and requires $\mathrm{poly}(\ell n^{d-1} \log p)$ time to determine the hidden coefficients $w_j$. For our task, we take $\ell = md$.

□